Elk its big log season

Copyright © 2015, SAS Institute Inc. All rights reserv ed.
ELK: IT'S BIG LOG SEASON
LOGGING FROM A TO Z

WHO WE ARE
• Brian Wilson
• Information Security Manager at SAS
• UNIX Sys Admin, Network Engineer, Infosec Engineer
• Family, Mac/Linux, Coding, Automation, Long walks on the beach
• @brianwilson / https://github.com/bdwilson
• Eric Luellen
• Sr. Information Security Engineer at SAS
• Open source technologies, network security monitoring, active defenses
• Snowboarding, volleyball, basketball, anything away from a computer
• @ericl42 / https://github.com/ericl42

WHY DO WE CARE ABOUT LOGS?
• Regulatory & compliance requirements
• HIPAA, SOX, PCI
• Troubleshooting
• Incident Response
• Proactive resource planning
• Logs are the building blocks of other projects
• Prove value of log data for future technology investment!

SO WHY HAVEN’T WE DONE ANYTHING
• Resources – Time, Money, & People
• Volume of data
• Disparate sources, formatting issues
• Application logs don’t follow same standard as OS logs
• Cooperation from other groups
• Unsure how to obtain and locate sources

WHAT ARE THE REQUIREMENTS?
• Simple to use
• The goal is to reduce the reaction time and make it easier to track down a
problem, resolve an incident, or search for some data point.
• Scalable
• As log sources and events/second grow, your solution has to scale as well.
• Expandable
• Easy to incorporate or feed into other systems.
• Notifications/Alerting
• Know when your log sources are deviating from defined criteria.

LOGISTICAL PREPARATION
• Identify the data sources
• Authentication Failures/Success
• UNIX, Windows, DLP, Anti-Virus, Web,
Applications…
• Configure sources for proper logging
• Determine location of syslog collector(s)
• DMZ, Cloud...
• Open firewall port(s)

ARCHITECTURE

HOW DO WE GET THE LOGS THERE?
• UNIX
• Local syslog settings
• auth.*;authpriv.* @syslog.domain.net
• Agent based (Nxlog)
• Windows
• Agent based (Nxlog)

NXLOG EXAMPLE
<Input in>
Module im_msvistalog
ReadFromLastTrue
Query <QueryList>
<Query Id="0">
<Select Path="Security">*[System[(EventID='4624')]]</Select>
<Select Path="Security">*[System[(EventID='4625')]]</Select>
</Query>
</QueryList>
Exec to_syslog_bsd();
Exec if $raw_event =~ /Account Name:s+S+$s+Account Domain:/ drop();
else if $raw_event =~ /^(.+)Detailed Authentication Information:/ $raw_event = $1; if $raw_event =~ s/t/ /g {}
</Input>
<Output out>
Module om_udp
Host X.X.X.X
Port 2514
</Output>
<Route 1>
Path in => out
</Route>

• Basic aggregation of logs
• Filters and funnels logs as needed
• Ability to send to various locations
• Configured using syslog-ng.conf file

SYSLOG-NG CONFIGURATION
source s_remote_logs_unix {
udp(port(514) so_rcvbuf(67108864)); };
destination d_hosts_unix {
file("/mnt/logs/UNIX/$YEAR-$MONTH-$DAY-sys01.log"
dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_remote_server {
udp("192.168.1.20" port(1234) spoof_source(yes) ); };
filter f_trash { (match("some specific expression")
or match("asdfjkl;")
or host("server1.domain.net") and match("xxx") ); };
log { source(s_remote_logs_unix); filter(f_trash); destination(d_junk); flags(final); };
log { source(s_remote_logs_unix); destination(d_remote_server); };
log { source(s_remote_logs_unix); destination(d_hosts_unix); };

• Inputs
Processes logs of all shapes and sizes
• Filters
• Allows you to parse and transform the logs
• Can easily support custom log formats
• Outputs
• Send the new “pretty” logs wherever you want

CUSTOM LOGSTASH CONFIG
input {
file {
type => "video-syslog"
exclude => ["*.gz"]
start_position => "end"
path => [ "/mnt/logs/video/*.log"] } }
filter {
grok {
overwrite => [ "message", "host" ]
match => [
"message", "%{DATESTAMP:timestamp} %{PROG:program} %{WORD:status} %{NUMBER:priority:float} %{GREEDYDATA:creation} %{INT:bytes}
%{INT:hitcount} %{GREEDYDATA:url} /disk%{GREEDYDATA:location}",
"message", "%{HOST:host} %{GREEDYDATA:url} %{INT:bytes_sent} %{INT:obj_size} %{INT:bytes_recvd} %{WORD:method} %{INT:status}
[%{DATA:time_recvd}+0000] %{INT:time_to_serve}“ ]
add_tag => [ "bytes", "hitcount", "url", "location" ]
tag_on_failure => [] } }
output {
elasticsearch {
protocol => "node"
host => "es-server1.domain.net,es-server2.domain.net,es-server3.domain.net"
cluster => "my-elasticsearch-cluster"
index => "video-%{+YYYY.MM.dd}“ } }

NETFLOW LOGSTASH CONFIG
input {
udp {
port => 9996
codec => netflow {
definitions => "/etc/logstash/logstash-1.4.2/lib/logstash/codecs/netflow/netflow.yaml" } } }
output {
stdout { codec => rubydebug }
if ( [host] =~ "10..*" or [host] =~ "1.1.1.1") {
elasticsearch {
embedded => "false"
protocol => "node"
index => "netflow-hq-%{+YYYY.MM.dd}" } }
else {
elasticsearch {
embedded => "false"
protocol => "node"
index => "netflow-remote-%{+YYYY.MM.dd}" } } }

• Architecture
• Easily scalable
• High availability
• Multi-tenancy
• Searching
• Based off of Lucene
• Real time search and analytics engine
• RESTful API

• Graphical representation of the logs
• Provides the user’s “pretty” interface
• Customizable dashboards
• Connects directly to Elasticsearch

HTTPD CONFIG
<Directory /var/www/html/kibana>
SSLRequireSSL
</Directory>
ProxyRequests off
ProxyPass /elasticsearch/ http://192.168.1.10:9200/
<Location /elasticsearch/>
ProxyPassReverse /
SSLRequireSSL
</Location>
<AuthnProviderAlias ldap ldap-domain>
AuthLDAPURL
"ldap://domain:3268/DC=XX,DC=YYY,DC=com?sAMAccountName??(!(user
AccountControl:1.2.840.113556.1.4.803:=2))"
AuthLDAPBindDN "cn=Bind_Name,cn=Users,dc=XX,dc=YYY,dc=com"
AuthLDAPBindPassword ThisIsthePassword
</AuthnProviderAlias>
<Location /kibana-helpdesk>
AuthType Basic
AuthName "USE WINDOWS PASSWORD"
AuthBasicProvider ldap-domain
AuthLDAPRemoteUserAttribute sAMAccountName
AuthLDAPBindDN "cn=Bind_Name,cn=Users,dc=XX,dc=YYY,dc=com"
AuthLDAPBindPassword ThisIsthePassword
AuthLDAPURL
"ldap://domain:3268/DC=XX,DC=YYY,DC=com?sAMAccountName"
Require ldap-group CN=Help Desk,OU=Groups,DC=XX,DC=YYY,DC=com
Require ldap-group CN=Security
Team,OU=Groups,DC=XX,DC=YYY,DC=com
order allow,deny
allow from all

• Meant to be a HIDS solution
• Log analysis
• File integrity checking
• Policy monitoring
• Rootkit detection
• Real-time alerting & active response
• Has it’s own web UI
• Uses basic logic to correlate and alert on specific events

OSSEC RULE EXAMPLE
<rule id="100100" level="0">
<decoded_as>aaa-logins</decoded_as>
<description>Group of AAA rules.</description>
</rule>
<rule id="100101" level="5">
<if_sid>100100</if_sid>
<match>Failed-Attempt|Authen failed</match>
<description>AAA authentication failures.</description>
</rule>
<rule id="100102" level="10" frequency="10" timeframe="120">
<if_matched_sid>100101</if_matched_sid>
<same_user />
<description>Multiple AAA authentication failures.</description>
</rule>

MAINTENANCE & UPKEEP
• Syslog-ng
• Bash scripts for combining and aging
out files
• Elasticsearch
• Curator, Elastic HQ, curl scripts
• Logstash
• Logrotate, init.d scripts to launch instances
• OSSEC
• Stay up-to-date on rules and create custom rules as needed

WHERE DO WE GO FROM HERE?
• Everyone has logs and a need to deal with them
• Share your solution with the groups that provided logs and
support orgs – may require custom pages to limit info
• Develop your work plan to review visual and OSSEC alerts
• Build response & monitoring capabilities
• Show value of logs to the org for future tools

Elk its big log season

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Elk its big log season

Similaire à Elk its big log season (20)

Dernier

Dernier (20)

Elk its big log season